
Where Do Security Policies Come From?

Dinei Florêncio and Cormac Herley
Microsoft Research, One Microsoft Way, Redmond, WA, USA
[email protected], [email protected]

ABSTRACT

We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with the greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength.

We conclude that the sites with the most restrictive password policies do not have greater security concerns; they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.

Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee. Symposium on Usable Privacy and Security (SOUPS) 2010, July 14–16, 2010, Redmond, WA USA.

1. INTRODUCTION

Passwords remain the dominant means of authentication to web sites. Different sites have different policies: some insist on very complex passwords, while some allow relatively weak ones. Complexity increases the resistance of the password to brute-force attacks, but reduces usability. Our goal in this paper is to understand why there is so much diversity of requirements. That is, what causes some sites to require very restrictive policies when others clearly manage with less?

We perform a study of password policies at 75 different sites. These include top, high and medium traffic sites, universities, banks, brokerages and government sites. The policies range from single-character unrestricted passwords to 12-character passwords that must include upper- and lowercase letters, digits and special characters. The sites also span an enormous range in terms of traffic, number of user accounts and value of resources protected. Each of these policies gives us a data point on the tradeoff between security and usability as decided by different people. We examine several of the factors that might influence the need for greater security to see if there is correlation with enforced password strength.

Our results are somewhat surprising. We find that none of the factors that might require greater security seems a factor. The size of the site, the number of user accounts, the value of the resources protected, and the frequency of non-strength related attacks all correlate very poorly with the strength required by the site. Some of the largest, highest value and most attacked sites on the Internet, such as Paypal, Amazon and Fidelity Investments, allow relatively weak passwords. We also examine several factors unrelated to security. We find that sites that accept advertising, purchase adwords, have a revenue opportunity per login, or where the user has choice, tend to have less restrictive policies. For example, we find median password policy strength of 31 bits for banks and 19.9 bits for .com sites, but 43.7 and 47.6 for .edu and .gov sites respectively. Our analysis suggests that strong-policy sites do not have greater security needs. Rather, it appears that they are better insulated from the consequences of imposing poor usability decisions on their users. For commercial retailers like Amazon, and advertising supported sites like Facebook, every login event is a revenue opportunity. Anything that interferes with usability affects the business directly. At government sites and universities every login event is, at best, neutral, or, at worst, a cost. The consequences of poor usability decisions are less direct. That simple difference in incentives turns out to be a better predictor of password policy than any security requirement. This in turn suggests that some of the stronger policies are needlessly complex: they cause considerable inconvenience for negligible security improvement.

Why do password policies matter? In 2010 there are approximately 1.7 billion Internet users [1]; in 1990 there were fewer than 3 million [2]. Thus, there are probably about 10 billion password protected accounts in use today, and this number is growing rapidly. Thus, in the tradeoff between security and usability, erring on the side of unnecessarily strong policies causes an enormous usability burden and consumes cognitive effort that could be better spent elsewhere.

2. METHODOLOGY

We have gathered the password policies from the 75 sites listed in Table 7. Our means of selecting sites is as follows. We have chosen sites in several different categories: top, high, and medium traffic sites, banks and brokerages, universities, and government sites. The top, high and medium traffic sites are drawn from particular ranges on the traffic site www.quantcast.com. The banks are the top commercial banks and brokerages in the US as ranked by the Federal Financial Institutions Examinations Council (FFIEC) [17]. The universities selected are the ten largest universities in the US by student enrolment. The government sites are the ten highest traffic rank sites with top-level domain .gov. We have also added a few other categories of sites to check particular hypotheses, or for comparison interest. We added the top ten ranked Computer Science departments.

To understand password policies we have wherever possible opened an actual account. We indicate in the "Acct" column of Table 7 whether we have set up an account or not. When we have, this means that we have verified the minimum allowable password strength. On the site www.facebook.com, for example, we have verified that a 6-digit PIN is acceptable by setting the password for an account controlled by one of the authors. For some of the sites, we have been unable to set up accounts. For these we rely on published password policies. Searching for these policies was done manually using an Internet search. When this is the case we give a hyper-link to the source of the policy information in the electronic version of this paper. Some sites (particularly universities and government sites) can have many different computer systems. For example, students at the business school may use an entirely different system with entirely different policies from undergraduates. Thus, some of the university policies we indicate may be merely department policies. In the case of the government site ca.gov, for example, we found two distinct published password policies, which we list in Table 1. While these vary in detail, they conform to the general clustering we find in Section 3.2. In these cases, we document the first published policy that we found. Thus, while there is no guarantee that we find the only password policy in force at a university, there should be no bias in the policies indicated in Table 7.

Table 1: CA.GOV policies found.

Site           Len   Char. Sets                   Strength
cdph.ca.gov    8     3 (3 out of U, L, N, S)      47.6
cps.ca.gov     9     2 (U or L + N or S)          46.6

2.1 Measuring Password Strength

Strength is intended to measure the resistance of a password to brute-force attacks. Measuring the strength of an individual password is non-trivial. Obviously length and composition (i.e., number of different character sets) are good and increase the strength. Obviously, dictionary membership, repeated characters and consecutive sequences (e.g., "abcdef" or "asdfgh") are bad and reduce it. Password-strength meters usually use a combination of length and composition to gauge strength; some check against a dictionary to flag the most common passwords. However, there does not appear to be a universally agreed-upon means to measure strength.

Measuring the strength of a policy is different. The intent of a policy is, presumably, to force all users to employ minimally strong passwords. To measure the minimum strength of the policy we use N_min × log2(C_min), where C_min is the cardinality of the minimum character set required, and N_min is the minimum length. For example, the strength of a policy that requires 6-character passwords and allows digits would be 6 × log2(10) ≈ 19.9 bits. A policy that requires 8 characters drawn from upper- and lowercase letters and digits would be 8 × log2(26 + 26 + 10) ≈ 47.6 bits. Table 2 gives examples of several different policies and their strength under this measure. This is clearly an approximate measure of strength, and arguments could be made whether this represents a true measure of the difficulty of attacking passwords that conform to the policy. Burr et al. [42] estimate that user chosen passwords have far less entropy than a randomly chosen password. The six character lowercase password "hwlbzu" is probably far more secure than the eight character "Pa$$w0rd" even though the first belongs to a 28-bit policy, and the second to a 52-bit policy. However this measure captures the strength of passwords that minimally conform to the policy. Since users appear to gravitate toward the weakest passwords allowed by the policy of a site [18] this probably gives a representative picture of the burden.

Table 2: Example password policies and their associated strengths. The symbols U, L, N, and S stand for upper, lower, numbers and special characters. For example "N" implies that digits alone are acceptable, while ULN indicates that both upper and lower-case along with digits are required.

Length   CharSets   Strength
6        N          19.9
6        LN         31.0
6        UL         34.2
6        ULNS       39.5
8        N          26.6
8        ULN        47.6
8        ULNS       52.7
10       N          33.2
10       L          47.0
10       ULNS       65.8

Some sites have positional restrictions on the characters. For example, schwab.com requires (see www.schwab.com/library/html/Privacy.html#Password): "Your password must be 6-8 characters long. It also must:
• Include both letters AND numbers.
• Include at least one number BETWEEN the first and last character.
• Contain no symbols (!, %, #, etc.)"

The second restriction (that there be a number between, i.e., not at the beginning or end) increases the burden on the user but is not captured by our measure of strength. Since only 5 of 75 sites in Table 7 have positional restrictions we believe that ignoring this effect has minor influence on our analysis.

Thus, while the measure we use of policy strength is imperfect, it is adequate for our needs. Further, this measure appears to preserve the ordering of policies in terms of security and of burden on the user. We are primarily interested in the struggle between usability and security. Password strength gives a crude one-dimensional measure of both of those things. This strength measure roughly preserves the ordering of difficulty of brute-forcing passwords. That is, sites with higher minimum strength have passwords that are harder to brute-force than those with lower. The security ordering is approximate; i.e., differences of a few bits may not be meaningful. Strength also gives a measure of usability that approximately preserves ordering: sites with lower strength have fewer restrictions and thus allow passwords that are easier for users to choose and remember. Again the ordering is approximate. Our conclusions will not depend on small differences in strength.

2.2 What Threats Do Password Policies Address?

The purpose of password policies is to reduce certain attacks on user accounts. Principally these are:
• Online brute-force attacks
• Off-line attacks on the file of hashed passwords
• Password re-use across sites.

Strength policies, of course, have no influence on attacks such as phishing, keylogging, session hijacking etc.

2.2.1 Online Brute-force Attacks

A basic brute-force attack occurs when an attacker repeatedly tries many passwords for a single user account. It is standard practice to guard against this attack by locking an account, for example, after a threshold number of unsuccessful login attempts. For example, if an account is locked for 24 hours after three unsuccessful attempts, then even a 6-digit PIN can withstand 100 years of sustained attack [21]. More flexible lockout strategies, that render the attacker's job even harder while inconveniencing legitimate users less, are also possible [38]. Thus a good lockout policy effectively makes direct brute forcing on a single account infeasible. The Denial of Service (DoS) vulnerability that it opens is a price that many large sites have decided they must accept or manage through back-end fraud detection.

A bulk-guessing attack occurs when the attacker distributes the guesses among many different accounts [31, 21]. Thus, rather than send one million password attempts against a single account (which will be blocked by the lockout policies) the attacker may send one attempt each against a million different accounts. This type of attack is much harder to address using lockout policies, since no account receives an unusual amount of traffic. However, it does require that the attacker know, or guess, a large collection of account usernames. It is only feasible against sites with enormous user bases [21]. It also ensures that the attack is un-targeted: the attacker has no control over which account he will break.

2.2.2 Off-line Brute-force Attacks

To authenticate a user at login requires verifying that the correct password has been entered. The best practice regarding the handling of passwords is to store, not the password itself, but a hashed version. By computing the hash of what the user enters the server can verify whether this matches the hashed password on file. Thus, there is no need for the server to retain a copy of user passwords, and it is regarded as bad practice to do so (although certain sites do [29]). Further, the password is generally salted with a per-account salt before hashing:

Salted Hash = hash(password.salt),

where "." denotes concatenation. The salt can be stored alongside the username and the salted hash. Thus the file of hashed passwords might have rows of the form:

[username, hash(password.salt), salt].

To authenticate a user the server need merely recalculate the salted hash and compare with the stored value.

Off-line attacks on the file of hashed passwords are a serious threat. A person who obtains the hashed passwords file might then deploy a tool such as JohnTheRipper [3] to crack the passwords. This attack is frequently cited as the disgruntled employee attack: someone who obtains a copy of the file might afterward attack the hashes of all user accounts at leisure, since no lockout policy limits the number of trials. The attacker can try passwords as quickly as his machine can calculate hashes.

Several protections are employed against this risk. First, the salt that is added before hashing prevents a rainbow attack [36], in which the attacker pre-computes the hashes of common passwords and strings. This ensures that even common passwords such as "abcdefg" will require significant effort to brute-force. Second, an iterated hash, which is designed to be slow to compute, can be used to slow down any brute-forcing attempt. For example, if the hashing algorithm is hash(password.salt) = SHA1^M(password.salt) then SHA1 is computed M times before producing the output. This introduces an M-fold delay into computing the hash. This slows the verification process for the user scarcely at all, but slows the off-line attacker down by a factor of M. Obviously, M is chosen so that an acceptable delay is presented to the user.

Finally, and most importantly, the site must guard against access to the file. For any off-line attack to make sense the attacker must have read access to the hashed password file. In addition he should lack write access. If the attacker has write access he might as well write his own hash and effectively change the user's password; he can change it back after he has accessed the account to avoid arousing suspicion. For web accounts neither read nor write access will be available to an attacker who lacks administrative privileges. Thus it is purely an administrator, and more likely an ex-administrator, that is the main risk.

2.2.3 Password Re-use Across Sites

Some sites have policies that make password sharing difficult. For example, the third requirement in Schwab's policy above (which forbids symbols) ensures that no Schwab password could also be used at CMU (which requires them). It is possible that this is not accidental: perhaps some sites choose restrictive policies to discourage password re-use across sites? This would be most easily accomplished by truly capricious composition requirements. For example, one site requires that every password contain one of the two symbols '%' and '-'. Alternatively, positional requirements, such as "one number between the first and last characters" (second of Schwab's requirements) can have this effect. In our examination we found that such rules are rare: only 5 cases out of 75 had positional requirements. While complex rules may make cross-sharing of passwords harder, and this is often suggested as a best practice, we found little to suggest that this is a primary goal of password policies.

3. THE DATA

The data we have gathered is presented in Table 7. The traffic rank, and the determination of whether the site accepts advertising, are drawn from www.quantcast.com which tracks data for advertisers.

3.1 Diversity of Password Policies

In Figure 1 we plot strength vs. number of sites, showing the distribution of policies. We first observe that there is great diversity in policy strengths. There is little sign of an industry-standard or preferred policy. The diversity of strengths suggests that policy decisions are made more or less independently at different sites. Second, there is an enormous range of strengths. Certain sites have truly weak policies: Wikipedia for example allows single digit passwords, as do a few of the medium traffic sites. Since Wikipedia allows edits without logging in, passwords don't necessarily protect much by way of privilege or resources. Even if we ignore such sites, and restrict attention to those that involve email, commerce etc., there is a 30-bit range from low to high. Ranging from 20 bits at the low end (e.g., Facebook, Live, Amazon etc.) to 52+ bits at the high end (e.g., Princeton, CMU, UsaJobs.gov) there is an enormous range. The weaker policies are far weaker than the strong. If passwords were randomly chosen, the weakest Amazon passwords would come into range after about 2^20 ≈ 10^6 attempts, and UsaJobs passwords after 2^52 ≈ 4.5 × 10^15 attempts. That is, there are nine orders of magnitude difference between how hard it is to brute-force an Amazon password and a UsaJobs.gov one. Do the security requirements of Amazon and Usajobs.gov really vary that much?

[Figure 1: Histogram of policy strengths. The x-axis is the minimum required bit strength in bins <15, 15-25, 25-35, 35-45, 45-55 and 55+; the y-axis is the number of sites (0 to 20). Observe that policies span an enormous range: 55 bits is enormously stronger than 20 bits.]

3.2 Clustering

In spite of the diversity of strengths the policies listed in Table 7 are far from random. Some patterns are very evident. In Table 3 we show the median strength by category. There is clear clustering of policy strength by category. For example all of the high traffic sites have relatively weak policies, with a median of 19.9 bits. Banks and brokerages have a mixture ranging from weak to medium strength with median of 31.0. Universities and government sites, with a few exceptions, have very strong policies with medians of 43.7 and 47.6 respectively. We divide the data of Figure 1 by top level domain and plot the policy strengths of the .com, .edu and .gov sites in Figure 2. A very clear pattern emerges: the .com sites are separated from the .edu and .gov. They have respective median policy strengths of 19.9, 43.7 and 47.6.

Table 3: Median strengths of policies for various groupings.

Site                 Policy Strength
Top Traffic          19.9
High Traffic         19.9
Medium Traffic       8.3
Financial            31.0
Large Universities   44.5
Top CS Depts         46.4
Government           47.6
All .com             19.9
All .edu             43.7
All .gov             47.6

[Figure 2: Histogram of policy strengths by first level domain (.com, .edu, .gov). The x-axis is the minimum required bit strength in bins <15, 15-25, 25-35, 35-45, 45-55 and 55+; the y-axis is the percentage of sites in each domain (0% to 60%). Observe that .coms tend to adopt significantly less stringent policies.]

It is possible that not all sites make independent decisions. The clustering that is clear among the .edu and .gov sites might suggest that some sites may decide policies based on what their peers do, or on some guidelines. For example government and university sites may be under greater pressure to comply with the NIST [42] or DoD [8] password guidelines.

4. FACTORS THAT MIGHT INFLUENCE STRENGTH AND USABILITY

We now examine several factors that might explain the stronger policies of some sites. In each of the following sections we examine features of the sites that might force some sites to require more secure policies. All sites, of course, must guard against both online and off-line brute-force attacks. Some sites manage this with far lower strength policies than others. Are there reasons that make the stronger-policy sites more likely to be attacked? Or is the additional strength demanded by those sites superfluous?

4.1 Are Password Policies Based on Observation and Evidence?

We should first consider whether policies are based on evidence. For example, might it be the case that sites have, by trial and error, reached the policy needed to protect their resources? For example, might those with stronger policies have seen greater attacks and learned the need for greater security? We now argue that this is not the case for several reasons.

1. Policies cannot be changed easily
2. Only when policies are too lax does a site get any evidence of brute-forcing
3. Best practices prevent gathering of data
4. Sites cannot necessarily distinguish brute-force from other attacks.

First, a trial and error approach to policy is hard. Tightening and loosening policy to explore the feasibility space is not practical.

Second, it is not surprising that evidence does not appear to guide policy formation. Policies that are significantly too weak would be the best source of data: only by making the mistake of being too lax can we determine where significant breaches occur. However policies that are strong enough to repel brute-force attacks do nothing to tell us how much cushion the policy provides. Such a policy gives us no data on whether the policy is far too strict, a little too strict or just right.

Third, the best practices for handling passwords make gathering of such evidence hard. Best practice is to store not the password, but its salted hash (see Section 2.2.2). Thus, in general, the site has no information about the strength of user passwords. It has no means of determining, for example, whether users who report account hijacking have weaker passwords than average. To make this determination it would be necessary to store strength information. This would be very risky: if an attacker obtained strength measures in addition to the file of hashed passwords this would give him a road-map as to which to attack first.

Finally, it is hard to determine whether bulk guessing is responsible for hijackings. Here, since the attacker distributes his tries among many accounts, there will be little trace in the logfiles. One million accounts might each have a single unsuccessful login attempt, but it is exceedingly difficult to link this information with a successful login. Thus, when the owner of the hacked account complains or raises the alarm, it is by no means simple to determine whether they were a victim of phishing, keylogging or bulk-guessing. Thus, we reject the hypothesis that evidence of actual brute-force attacks forms policy.

Table 4: Number of users at five top traffic sites, and five largest universities. University numbers are undergraduate enrollment, so may understate the true number of users by 50% or so to account for faculty, staff and graduate students.

Site             Users         Rank   Min. Strength
Facebook         400 million   2      19.9
Yahoo!           260 million   3      19.9
Live             260 million   8      19.9
Gmail            91 million    1      26.6
Twitter          76 million    31     19.9
Ohio State       51800         1811   41.4
Arizona State    51200         3288   47.6
U. of Florida    50900         1382   47.6
U. Minnesota     50400         919    35.7
U. Texas         49000         946    47.6

4.2 What is The Size of the Service?

A factor that might generate the need for greater security is the size of the service. A potentially serious threat for web-sites is that of a bulk-guessing attack [26], explained in Section 2.2.1. This requires that the attacker can determine, or guess, the usernames of a large number of users [21]. So this attack works best against very large sites, and those where the username is known. For very large sites, that have tens or even hundreds of millions of users, it is safe for an attacker to assume that the username space is fairly well occupied. Thus, if bulk guessing is a major threat we would expect to see some correlation between strength requirements and the number of user accounts at a site. If we take traffic as being correlated with number of users, Table 7 makes clear that no such relation holds. In fact the weakest policies are found at the sites with highest rank. For clarity we pull the top five traffic sites, and top five universities, and tabulate them in Table 4. The largest, top traffic sites on the Internet have weaker, not stronger, policies than those further down the list. Thus, an inverse relation appears to hold between traffic and the strength of the password policy that a site forces on its users.

Since traffic correlates only approximately with number of user accounts, in Table 4 we also tabulate the number of users of various different sites. If bulk-guessing is a significant threat then we would expect to see larger sites force stronger password policies. Again, no such pattern emerges. Again, the reverse is the case: the larger the site the weaker the policy it forces on users. Thus, we reject the hypothesis that traffic or number of users explains the increased strength of the strong-policy sites.

4.3 Is the Username Public?

The bulk-guessing attacker must either know or be able to guess the usernames of a large number of users. The attack requires that he distribute the guesses among many accounts, and thereby evade both lockout and fraud detection. In Section 4.2 we examined size as one attribute that aids the bulk-guessing attacker. However, for sites where the username is public, there is also little difficulty obtaining the list. Email accounts, for example, aren't private; they are, by nature, public. For some sites, e.g., email accounts, the username is visible to an attacker or can be determined. For example, many companies have email accounts for employees of the form: [email protected]. This makes bulk guessing against the email portal simple if a list of employees can be obtained. Thus, we might expect that if the username is public a stronger password policy must be imposed on users.

For email providers, social networking and auction sites we consider the username to be public. Thus for a majority of the top traffic sites the username is public. It used to be common practice for banks and brokerages to use either Social Security Number (SSN) or account number as the username. For example, some banks originally gave existing customers online access using their SSN as username and ATM card PIN as password. This eased the way toward getting many customers online quickly without the need for expensive in-person bank visits, or phone support. Most banks now appear to offer the option of using a chosen username, and some mandate changing away from SSN. Account numbers are printed on checks and cannot be considered private. SSN is marginally private information. In fact, Acquisti and Gross [9] show that SSNs are in certain cases predictable from entirely public data. While difficult to generalize, for financial institutions the username is public, even though many are making an effort to end this practice. For universities in many cases the username is also an email address, and is thus public.

University usernames tend to be public, but so also are those of top traffic sites and email providers. Thus, while there is no reverse correlation, we reject the hypothesis that having a public username drives the requirement of policy strength. If the largest email providers, such as Hotmail, Yahoo! and Gmail, can manage with weak policies it doesn't appear that visibility of the username makes bulk guessing sufficiently bad to warrant increased strength.

Table 5: Value of assets and password strength. Except where noted the assets data comes from the FFIEC [17]. Fidelity and Vanguard assets from their press sites. *For Paypal we list their annual transaction volume, since they do not manage assets.

Site              Assets          Min. Strength
Bank of America   $2.2 trillion   41.0
Chase             $2.0 trillion   36.2
Citibank          $1.8 trillion   31.0
Fidelity          $1.4 trillion   19.9
WellsFargo        $1.2 trillion   31.0
Vanguard          $1.0 trillion   26.6
Paypal            $290 billion*   26.6

4.4 What is the Value of the Resources Protected?

A very obvious possible determinant of security requirements is the value of the resources protected. Greater security is probably warranted for financial accounts than social networking ones. For the financial sites we tabulate the assets under management in Table 5. It is difficult to compare assets across the site categories selected. However, it is hard to argue that value of assets is responsible for strong policies at UsaJobs.gov when we compare with Fidelity or Paypal. Thus, the sites in Table 5 provide counter-examples to the hypothesis that value of assets might be the determinant in requiring stronger policies.

4.5 What is the Extractable Value of the Resources Protected?

In most cases of cybercrime it is not the password the attacker wants, but money. Monetizing a hijacked account can itself be a difficult process. In fact there are numerous accounts that stolen credentials are offered for sale on underground markets for fractions of their apparent face value [39, 30, 25, 24]. The amount of money that can be extracted from an account is not necessarily related to the net assets. If there is a correlation between value of resources and strength of policy it is more likely to be extractable assets that will predict the need for more stringent policies. The greater the extractable value of an account to an attacker, the greater we would expect the security required of users to be.

Fortunately, we have a means of estimating which sites attackers value most. Password brute-forcing is merely one means of account hijacking. There are many other attacks on account credentials, among which phishing is one of the most popular. In seeing which sites are most targeted by phishers we get an indication of which accounts are most valuable to them. We tabulate the number of distinct phishing attacks targeting sites on our list in Table 6. The data comes from Avira's 2009 study of the subject [12]. As can be seen, Paypal, Chase and eBay dominate the list. Interestingly, brokerages with large assets under management, like Fidelity, Vanguard and Schwab, don't even make the list. Presumably it is a great deal easier to get money from a hijacked Paypal account than a Fidelity one.

Paypal is clearly the favorite target of phishers. Thus, its attractiveness to attackers is not in doubt. It does not seem plausible that Paypal is targeted (relative to other sites) a great deal more by phishers than by brute-forcers. Thus Table 6 offers a crude guide to extractable assets. Paypal, Chase and eBay all have high extractable value and yet have relatively weak policies. Thus it does not appear that higher extractable value explains the difference between strong and weak policy sites.

Table 6: Number of phishing sites attacking various sites in 2009. Observe that the ordering is very different from the listing of financial sites by assets in Figure 5. Paypal is the favorite target of phishers, while Fidelity, which has $1.4 trillion under management, doesn't even feature. The phishing data comes from Avira [12].

Site              Phishing   Min. Strength
Paypal            32205      27
Chase             25901      27
eBay              18738      31
Bank of America   4540       41
IRS               3712       47
Citibank          2265       31
Facebook          2217       20
Gmail             761        27
Yahoo!            761        20
WellsFargo        541        31

4.6 Who Lives with the Consequences of a Breach?

When a free web-mail account is compromised it is largely the user who bears the direct consequences. While there are support costs, and loss of reputation, the resources protected behind many free sites belong to the user. This situation may be different at other sites. We investigate the hypothesis that web-sites insist on greater strength when they bear the cost of a breach.

For financial institutions, ironically, the institution has most to lose. This is the case, at least in the US, since losses due to unauthorized transfers are governed by Regulation E of the Federal Reserve [4]. This covers all transfers except by check and credit card, and limits the user's liability to $50 if the loss is reported within two days of discovery. Some of the institutions go beyond this. For example, Wells Fargo, in their online security guarantee states [6] "We guarantee that

ergy and push policies in the direction of greater password strength. In the preceding sections we examined several of these forces and found no strong reason to explain the difference between those with stronger policies and weak. Now we examine several factors that might tend to push strength policies down. That is, all sites desire security, which exerts upward pressure on strength policies. If there were no cost to this then all sites would choose very complex password policies. However, sites also desire usability for their users, which exerts downward pressure. The more usable a site the more users are attracted to it. Attracting, and keeping, users is an imperative for many web businesses. Traffic translates into revenue for sites that are advertising supported. We now examine whether there is inverse correlation between accepting advertising and password strength.

In Table 7 we tabulate whether a site accepts third-party advertising or not. As can be seen, the majority of top traffic sites are advertising supported. Banks, universities and government sites are not. In Figure 3

45% we show the histograms of sites that accept and do not

40% accept advertising. The difference in histograms shows Accept Ads the stark contrast between the policies these two types 35% no Ads of sites. The median strength for those that do is 19.9 30% bits, while it is 41.4 for those that do not. 25% This suggests a partial explanation of the question

20% that has vexed us. The large .com sites live or die by the traffic they generate. The more users login and use 15% their service the more traffic and revenue they generate. 10% For example, Facebook, of course, wants as many users 5% as possible. In addition, it wants them logging in as of- 0% ten as possible. Compromised user experience leads to <15 15-25 25-35 35-45 45-55 55+ minimum required bit strength less usage. Strong passwords diminish the user experi- ence in that they are harder to remember. Forgetting a password, and going through the password reset proce- Figure 3: Histogram of policy strengths by sites dure is inconvenient. Thus there is a powerful economic that accept advertising and those that do not. incentive for advertising supported sites to make pass- The median strength when the site accepts ads words as usable as possible. Thus for sites that accept is 19.9 bits and 41.4 when it does not. advertising there is a force opposing those that push for greater strength. Advertising is one way in which web-sites generate you will be covered for 100% of funds removed from revenue. For many sites this is far from being the dom- your Wells Fargo accounts in the unlikely event that inant source of revenue however. Retailers such as Ama- someone you haven’t authorized removes those funds zon, clearly have a revenue opportunity every time a through our Online Services.” Similarly, Fidelity’s Cus- user logs in. Brokerages, such as Fidelity, Schwab and tomer Protection Guarantee reads [5] “We will reim- Vanguard also have a revenue opportunity at each lo- burse your Fidelity account for any losses due to unau- gin. Every time a stock, bond, or mutual fund is bought thorized activity.” Thus banks and brokerages provide or sold they make a commission, even if there is no ad- counter-examples to the hypothesis that this explains vertising. As a for-profit university, where a large por- the difference between strong and weak policy sites. 
tion of student interaction is online, the University of Phoenix also has a revenue opportunity per login, even 4.7 Is Advertising Accepted? though it does not accept advertisements. Thus, even We have so far examined the trends that might push among those that do not accept advertising, several of strength policies upward. For example, number of users those with less restrictive policies have less restrictive and value of assets might tend to increase the attack en- policies. 4.8 Does the Site Advertise? visits a physical premises. With a university, on the An even more direct measure of the desire to attract other hand, a student’s main contact is off-line. traffic is whether the site itself advertises. This is evi- This distinction is important as it indicates how much dence that it spends money to attract users. We now choice the user has at the time the online account is examine whether a site buys the Google adwords that created (i.e., when a password that conforms to policy is correspond to its name. For example, when searching being chosen). For purely online accounts the user still for “Fidelity” the first link is a sponsored one point- has considerable choice at the time of account creation. ing to www.fidelity.com, indicating that Fidelity has Rather than open an Amazon account he can choose any bought this adword. Adwords are decided by auction, other online retailer. Rather than choose Gmail, he can thus Fidelity has bid (and is paying) more than any choose Yahoo! or hotmail for a webmail account. This other site was willing to pay to have their site appear in is not the case with universities or government sites. a privileged position in response to that query. Spon- A student at Ohio State, or most other universities, is sored links appear either above or to the right of the already a student when he sets up an account. The web ranked links returned. 
In the second to last column of site is a monopoly provider of particular online services Table 7 we tabulate whether we found sponsored links to the student body. Going to a different provider, or in response to Google queries that were paid for by, even choosing not to bother, is not an option. The and pointed to the site. To ensure our result is unbi- University of Phoenix appears to be the only example ased we searched only for the name of the institution, of the universities studied where the user has choice at both with and without spaces between words. Thus, for the time of account creation. We tabulate whether the overstock.com we searched both for “overstock” and user has a choice in the last column of Table 7. “over stock.” Finding a sponsored link in this way cer- At .gov sites, again users have no choice. There is tainly tells us that the site purchases adwords, whereas only one Social Security Administration, one Internal failure to find does not mean that no adwords are pur- Revenue Service, and one office of the Census. Figure chased. Some conclusions emerge. First, the top and 4 shows the histogram of strengths for the cases where high traffic sites generally do not buy sponsored links. the user does, and does not have choice. At a majority These sites are large enough that they are ranked as the of the financial sites the user has no choice; i.e., the first returned link for a query “facebook” or “ebay.” It relationship with the bank is probably already estab- makes little sense to pay Google for a sponsored link if lished prior to opening the web account. Paypal is an the site itself is the first returned page. If we ignore the exception, since, for most users, is it an exclusively on- top and high traffic sites the median policy strength is line relationship. In Figure 4 we display the histogram 28.8 bits for those tat purchase adwords, and 41.4 for of sites where the user does and does not have a choice. those that do not. 
The median strength for those where the user does is This feature is most interesting in the case of finan- 19.9 bits, while it is 41.5 where the user does not. When cial and government institutions and universities. The the user has a choice at the time of account creation financial institutions, with the sole exception of JP Mor- the site must compete for the the account. The large gan Chase return a sponsored link. For the universi- gap in median policy strength between these two cases ties the reverse is the case: only University of Cen- suggests that sites that compete actively for users and tral Florida and University of Phoenix purchase spon- traffic believe that restrictive policies can reduce traffic. sored links that point to their site. Not only does it place sponsored links for the query “University of 5. DISCUSSION Phoenix” but several other queries such as ”Univer- sity,” “College,” “Degree” all produce links sponsored 5.1 Security Demands, Usability Demands and by phoenix.edu. None of the .gov sites purchase spon- Equilibrium sored links. Thus willingness to pay to attract traffic In our examination of security requirements (Sections correlates well with less stringent policies. 4.1 - 4.6) we failed to find any positive correlation be- tween increased security demands and password strength. Those sites with more restrictive policies do not appear 4.9 Does the User have a Choice? to have greater security concerns. In our examination Just as there is diversity in the services offered by the of other factors (Sections 4.7 - 4.9) we did find that sites, there is diversity in the nature of the users’ rela- those sites which accept advertisements, purchase ad- tion with the site. With sites such as Facebook, Ama- words and where the user has choice, appear to have zon, and Yahoo! the relation is entirely online, while less restrictive policies. 
These factors have in common with others it is the online portion of an interaction that they indicate that the site competes for users and that takes place primarily in the off-line world, That is, traffic; anything that affects usability has a negative a Facebook user opens and manages his account online; impact. he never speaks to Facebook on the phone, and never This suggests that policy is determined, not by the 50% attacks only. The examples of Amazon, Paypal and Fi- 45% delity prove that sensible lockout policies and fraud de-

40% Choice tection ensure that this can be done at relatively mod-

35% no Choice est strengths. If the file of hashed passwords cannot

30% be protected, then greater strength gives some protec- tion against attacks on the hashed passwords. Thus 25% stronger policies protect, not against online attacks on 20% user accounts, but against failure to protect the hashed 15% password file. 10% This is interesting since it suggests that sites with 5% stronger policies do not offer better protection against 0% online attacks, they merely shift some of the burden <15 15-25 25-35 35-45 45-55 55+ minimum required bit strength of protecting against off-line attacks to the user. The cost of relatively weak password policies does not ap- pear to be increased success of brute-forcing. Rather, Figure 4: Histogram of policy strengths by sites it is that these sites must invest greater effort to ensure where the user does and does not have choice that the file of hashed passwords never leaks. The ben- at the time of account creation. The median efit is that they offer a more usable experience to their strength when the user has a choice is 19.9 bits, customers. When sites enforce very restrictive policies and 41.5 when he does not. it does not appear that they see brute-forcing less. The benefit is that they enjoy some cushion in the event that the hashed passwords ever leak. The cost for this security demands of the site, but by an equilibrium cushioning is borne by their users. reached between the competing demands of security and Our conclusion on password strength is informed by usability. Security exerts an upward pressure, while us- data. Some of the most attacked sites on the web man- ability exerts a downward pressure. Most of the sites we age with passwords of length 6 or 8. Several require two have examined have considerable security requirements. character sets; e.g., lowercase and digits, or lower and It is not plausible, for example, that sites like Amazon, upper case. 
After this, explicitly forbidding common Paypal and Fidelity persist with policies that do not passwords such as “abcdef” appears a better approach allow them to protect user accounts from brute-force than imposing additional complexity. Looking at Ta- attacks. The security demands of their businesses are ble 7, insistence upon special characters in the pass- at least as great as any of the sites we have examined; word appears to be the exclusive preserve of those insu- and yet they manage to meet them with relatively un- lated from the effects of poor usability. Equally, (again restrictive policies. Thus, it does not appear to be secu- from Table 7) the practice of forcing regular password rity requirements that explain the diversity of password changes, which Spafford [16] suggests “has little or no policies, but the different degrees to which sites face the end impact on improving security” is mostly enforced consequences of poor usability. At Amazon, Paypal and by university and government sites. Facebook the consequences of poor usability are great. Everything is optimized to make account creation and 5.3 Policies Do not Need to Tighten With Time login as simple as possible. Any sub-optimality in ei- Increasing amounts of cybercrime, identity theft and ther leads to lost revenue. The voices that argue for phishing are often invoked as reasons for increasingly more restrictive policies meet vigorous push back. At stringent password requirements. We argue that this government and university sites, by contrast, every lo- view is incorrect: there is no reason why password poli- gin event is either a matter of indifference or a cost, and cies in 2010 need be any stronger than they were in the direct consequences of poor usability are small. The 2000. Moore’s law and reductions in the cost of compu- data confirms that, at these sites, voices that argue for tation have no influence whatever on online brute-force more restrictive policies have an easier task. attacks. 
Advances in cracking software, faster hard- ware, or more hardware, do not make the online at- 5.2 How Strong do Passwords Need to be? tacker’s job easier. He is limited by the lockout policy, How strong a password needs to be seems to depend which limits his attempts per unit time and fraud de- on whether we must protect against online or off-line at- tection. It is worth noting that improvements in off-line tack. In turn, this question seems to reduce to whether brute-force attacks can also be limited. If M is chosen we can prevent the file of hashed passwords from leaking to generate a fixed delay per hash computed, this can to an attacker or not (i.e., whether we deal with the at- be increased as machine speeds improve. A 10× im- tack of Section 2.2.1 or Section 2.2.2). If the file can be provement in compute ability can be accommodated by protected, then we need worry about online brute-force replacing SHA1M () with SHA110M (). There have been a number of breaches involving pass- words are facing exhaustion [32]. Numerous alternatives words recently. Twitter was the subject of large online to text passwords have been proposed. These include brute-force attack [7]. Failure to lock accounts after graphical passwords [27], and one time passwords [22, several attempts allowed compromise of several user ac- 20]. Florˆencio et al.[21] suggest that password strength counts. Recently Twitter announced a requirement that for web accounts is not as important as frequently as- users strengthen passwords. Rather than increase from sumed. They argue that when there is only an on- the current bit-strength of 19.9, they explicitly rule out line brute-force attack adequate lockout policies make the 370 most common passwords. RockYou also had brute-forcing infeasible. In one of the most closely re- a recent attack. 
Their site had a SQL injection vul- lated works Mannan and van Oorschot [33] examine nerability and an attacker gained access to (and posted usability in online banking. They study policies be- online) 32 million passwords that were kept in the clear. yond passwords, and find that compliance is in some Rockyou also announced changes to password policies: cases almost impossible. Herley et al.[13] examines the instead of an unconstrained 5-character password users state of passwords and why better progress has not been must chose 8-character passwords with with at least two made toward stronger authentication methods. Beaute- of upper, lower case, numbers and special characters. ment et al.[10] suggest that users have a finite budget Thus, an attack unrelated to password strength caused for dealing with security policies, and that increasing a tightening of strength policy. As Zwicky points out complexity in one area must be matched by reductions [15] “the strength of peoples’ passwords at RockYou was elsewhere. Herley [23] suggests that users behave ra- totally irrelevant.” The Imperva analysis [28] suggests tionally in ignoring recommendation to choose stronger that a brute-forcing strategy against RockYou would passwords and other security advice. The recommenda- have yielded a significant fraction of accounts. Yet, the tions place considerable burden on them, and deliver lit- need for stronger user passwords is a strange conclusion tle reduction in risk. Sasse et al.[34] investigate strate- to draw from this episode: we do not know if any of the gies to enhance password strength and security, while accounts were brute-forced, but we do know that 100% reducing the burden on users. Very recently, Bonneau of them were compromised. The RockYou user who and Preibush [29] performed a study of how passwords chose a 10-character complex password suffered exactly are handled at 150 different web-sites. 
Theirs is the the same fate as the one who chose “abcdef.” only other work we know of that attempts to gather and interpret such a large collection of policies and 6. RELATED WORK practices. Inglesant and Sasse [37] examine password The literature on passwords and alternative means of practices in several organizations and suggest that se- authentication is vast. There has been a growing lit- curity managers systematically underestimate the cost erature documenting that users are overwhelmed with that stringent policies impose. If, as this paper sug- password policies and the difficulty of choosing, remem- gests, those policies are unnecessarily stringent this im- bering and maintaining many different accounts. Adams plies that much of this cost is wasted. Several other and Sasse [11] show that choosing and remembering authors have recently suggested that our practices on strong passwords is a challenge for many users. Zurko security matters may be outdated and in need of revi- and Simon [35] is an early example calling for secu- sion. Bellovin [40] suggests that “security by checklist” rity policies that pay attention to the burden placed is producing perverse outcomes. on users. Norman probably speaks for many when he speaks of his frustration with the Northwestern Univer- 7. CONCLUSION sity password policies [14]: “Because when security gets Where do security policies come from? Our online in the way, sensible, well-meaning, dedicated people de- and off-line lives are full of examples of security policies velop hacks and workarounds to defeat it.” Incidentally, that restrict our behavior. We run anti-virus and choose the Northwestern policy that Norman cites (listed in Ta- strong passwords. We remove our shoes and laptops and ble 7) is among the least restrictive university policies. restrict ourselves to 3 oz. quantities of liquids and gels. 
In earlier work we document that users often choose While most of us understand and accept that there is a weak passwords and re-use them liberally [18]. In study- tradeoff between security and convenience, how and by ing the behavior of half a million users we discovered whom is this tradeoff decided? Few would argue with that users generally gravitate toward the weakest pass- getting a lot more security for a little inconvenience. words allowed by policy, that they have on average 25 But, if the decision-making process is obscure how can passwords each, and re-use each password across 6.5 we be sure we’re not getting lots of inconvenience for sites. Gaw and Felten [41] also study password habits little improvement in security? When the US Trans- in a user study of undergraduates. They find lower portation Security Administration decided to impose a numbers of accounts and re-use rates, but did find that rule forbidding passengers to leave their seats or have both increased steadily with time. anything on their lap in the last one hour of flight the St. Clair et al.examine the question of whether pass- outcry was immediate: “the people who run America’s airport security apparatus appear to have gone insane” //www.ffiec.gov/nicpubweb/nicweb/Top50form.aspx. (the Economist Dec. 27, 2009). Absent such absurdi- [18] D. Florˆencioand C. Herley. A Large-Scale Study of Web ties it is hard to tell whether security policies have the Password Habits. WWW 2007, Banff. [19] D. Florˆencioand C. Herley. Stopping Phishing Attacks convenience-security tradeoff just right, or whether they Even when the Victims Ignore Warnings. MSR Tech. are overshooting greatly and imposing considerable in- Report, 2005. convenience for marginal benefit. [20] D. Florˆencioand C. Herley. KLASSP: Entering Passwords on a Spyware Infected Machine. ACSAC, 2006. Our conclusions suggest that, at least in the case of [21] D. Florˆencio,C. Herley, and B. Coskun. 
Do Strong Web passwords, exactly such an overshoot occurs. Some Passwords Accomplish Anything? Proc. Usenix Hot Topics of the largest and most attacked sites on the web al- in Security, 2007. low 6 character PINS or lowercase passwords. By con- [22] N. Haller. The S/KEY One-Time Password System. Proc. ISOC Symposium on Network and Distributed System trast, government and university sites generally have far Security, 1994. stronger (and far less usable) policies. The reason we [23] C. Herley. So Long, And No Thanks for the Externalities: suggest lies not in greater security requirements, but in The Rational Rejection of Security Advice by Users. NSPW 2009, Oxford. greater insulation from the consequences of poor usabil- [24] C. Herley and D. Florˆencio.A Profitless Endeavor: ity. Most organizations have security professionals who Phishing as Tragedy of the Commons. NSPW 2008, Lake demand stronger policies, but only some have usabil- Tahoe, CA. ity imperatives strong enough to push back. When the [25] C. Herley and D. Florˆencio.Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the voices that advocate for usability are absent or weak, Underground Economy. WEIS 2009, London. security measures become needlessly restrictive. The [26] K. Hole, V. Moen, and T. Tjostheim. Case Study: Online watchers must be watched, not merely to ensure that Banking Security. In IEEE Security and Privacy, pages 14–20, 2006. they do not steal or cheat, but also to ensure that they [27] I. Jermyn and A. Mayer and F. Monrose and M.K. Reiter do not decide to make their job a little easier at the cost and A.D. Rubin. The Design and Analysis of Graphical of great inconvenience to everyone else. Passwords. In Usenix Security, 1999. [28] Imperva. Consumer Password Worst Practices. [29] J. Bonneau and S. Preibusch. The Password Thicket: 8. REFERENCES technical and Market Failures in Human Authentication on [1] http://www.internetworldstats.com. the Web. WEIS, 2010. 
[2] http://www.worldmapper.org/display.php?selected=336. [30] J. Franklin and V. Paxson and A. Perrig and S. Savage. An [3] http://www.openwall.com/john/. Inquiry into the Nature and Causes of the Wealth of [4] Regulation E of the Federal Reserve Board. Internet Miscreants. Proc. CCS, 2007. http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c= [31] K. J. Hole and V. Moen and T. Tjostheim. Case Study: ecfr&sid=0283a311c8b13f29f284816d4dc5aeb7&rgn= Online banking Security. IEEE Security & Privacy div9&view=text&node=12:2.0.1.1.6.0.3.19.14&idno=12. Magazine, 2006. [5] The Fidelity Customer Protection Guarantee. http:// [32] L. St. Clair and L. Johansen and W. Enck and M. Pirretti personal.fidelity.com/accounts/services/findanswer/ and P. Traynor and P. McDaniel and T. Jaeger. Password content/security.shtml.cvsr?refpr=custopq11. Exhaustion: Predicting the End of Password Usefulness. In [6] Wells Fargo: Online Security Guarantee. https://www. Proc. of 2nd Intl Conf. on Information Systems Security wellsfargo.com/privacy_security/online/guarantee. (ICISS), 2006. [7] Wired: Weak Password Brings ‘Happiness’ to Twitter [33] M. Mannan and P.C. van Oorschot. Security and Usability: Hacker. http://blog.wired.com/27bstroke6/2009/01/ The Gap in Real-World Online Banking. NSPW, 2007. professed-twitt.html. [34] M.A. Sasse, S. Brostoff and D. Weirich. Transforming the [8] Department of Defense Password Management Guideline. “weakest link”: a human-computer interaction approach to Technical Report CSC-STD-002-85, U.S. Dept. of Defense, usable and effective security. In BT Technology Journal, Center, 1985. 2001. [9] A. Acquisti and R. Gross. Predicting Social Security [35] M.E. Zurko and R. T. Simon. User-Centered Security. Numbers from Public Data. Proc. Natl. Acad. Science, NSPW, 1996. 2009. [36] P. Oechslin. Making a faster crytanalytical time-memory [10] A. Beautement, M.A. Sasse and M. Wonham. The trade-off. Advances in Cryptology - CRYPTO 2003, 2003. 
Compliance Budget: Managing Security Behaviour in [37] P. Inglesant and M. A. Sasse. The True Cost of Unusable Organisations. NSPW, 2008. Password Policies: Password use in the Wild. CHI, 2010. [11] A. Adams and M. A. Sasse. Users Are Not the Enemy. [38] P.C. van Oorschot, S. Stubblebine. On Countering Online Commun. ACM, 42(12), 1999. Dictionary Attacks with Login Histories and [12] Avira TechBlog. The Most Phished Brands of 2009. Humans-in-the-Loop. ACM TISSEC vol.9 issue 3, 2006. http://techblog.avira.com/2009/12/19/ [39] R. Thomas and J. Martin. The Underground Economy: the-most-phished-brands-of-2009/en/. Priceless. Usenix ;login:, 2006. [13] C. Herley, P.C. van Oorschot and A.S. Patrick. Passwords: [40] S. Bellovin. Security by Checklist. IEEE Security & If We’re So Smart Why Are We Still Using Them? Proc. Privacy Mag., 2008. Financial Crypto 2009. [41] S. Gaw and E.W. Felten. Password Management Strategies [14] D.A. Norman. The Way I See It: When security gets in the for Online Accounts. Proc. SOUPS. way. Interactions, 16(6):60–63, 2009. [42] W. E. Burr, D. F. Dodson W. T. Polk. Electronic [15] E. Zwicky. Brute Force and Ignorance. ;login, April 2010. Authentication Guideline. In NIST Special Publication [16] E.H. Spafford. Security Myths and Passwords. 800-63, 2006. http://csrc.nist.gov/publications/ http: // www. cerias. purdue. edu/ site/ blog/ post/ nistpubs/800-63/SP800-63V1_0_2.pdf. password-change-myths/ . [17] Federal Financial Institutions Examination Council. Top 50 Bank Holding Companies 2009. http: Traffic Min. Char Min. Exp. Posn. Accepts Places User Site Rank Acct. Len. Sets Strength (days) Restrc? Ads?7 Ads?8 Choice?9 Top Traffic Sites1 Google2 1 Y 8 1 26.6 N N Y Y Y Facebook 2 Y 6 1 19.9 N N Y N Y Yahoo! 
3 Y 6 1 19.9 N N Y N Y Youtube 5 Y 6 1 19.9 N N Y N Y AOL 6 Y 8 1 26.6 N N Y N Y Live3 8 Y 6 1 19.9 N N Y N Y Wikipedia 9 Y 1 1 3.3 N N N N Y eBay 10 Y 6 2 31.0 N N Y Y Y Amazon 11 Y 6 1 19.9 N N Y Y Y ask 12 Y 6 1 19.9 N N Y Y Y weather 13 Y 6 1 19.9 N N Y N Y answers 15 Y 1 1 3.3 N N Y N Y Myspace 16 Y 6 2 31.0 N N Y N Y Craigslist 17 Y 6 1 19.9 N N N10 N Y adobe 20 Y 6 1 19.9 N N N Y Y High Traffic Sites1 nih.gov 101 N 8 3 53.6 60 N N N N capitalone.com 102 Y 8 2 41.4 N N N Y N rockyou.com 103 N 8 2 41.4 N N Y N Y typepad.com 106 Y 6 1 19.9 N N Y Y Y overstock.com 107 Y 5 1 16.6 N N N Y Y latimes.com 108 Y 6 1 19.9 N N Y N Y intuit.com 109 Y 6 1 19.9 N N Y N Y cbssports.com 110 Y 4 1 13.3 N N Y N Y Medium Traffic Sites1 wowwiki.com 1001 Y 1 1 3.3 N N Y N Y virginia.edu 1002 N 6 2 36.2 Y N N N pgatour.com 1003 Y 1 1 3.3 N N Y N Y hollywood.com 1004 Y 1 1 3.3 N N Y N Y mit.edu 1006 N 6 2 31.0 N N N N N okcupid.com 1007 Y 4 1 13.3 N N Y N Y istockphoto.com 1008 Y 5 2 25.8 N N N Y Y highschoolsports.net 1010 Y 1 1 3.3 N N Y N Y Banks and Brokerages Fidelity 224 Y 6 1 19.9 N N N Y N Vanguard 629 Y 8 1 26.6 N N N Y N Schwab 2266 N 6 2 31.0 N Y N Y N WellsFargo 80 Y 6 2 31.0 N N N Y N BoA 48 Y 8 2 41.4 N N N Y N JP Morgan Chase 2186 N 7 2 36.2 N N N N N Citibank 316 Y 6 2 31.0 N N N Y N PayPal 29 Y 8 1 26.6 N N Y Y Y US Bank 316 N 8 1 26.6 N N N Y N Large Universities4 Ohio State U 1811 N 8 2 41.4 365 N N N N Arizona State U 3288 N 8 3 47.6 180 N Y N N U. of Florida 1382 N 8 3 47.6 N N N N U. of Minn. 919 N 6 3 35.7 N N N N N U. of Texas 946 N 8 3 47.6 N N N N N U. Central Florida 6313 N 8 3 47.6 N N N Y N Continued on Next Page. . . Traffic Min. Char Min. Exp. Posn. Accepts Places User Site Rank Acct. Len. Sets Strength (days) Restrc? Ads?7 Ads?8 Choice?9 Michigan State U 1174 N 8 3 47.6 N N N N N Texas A& M 1418 N 6 3 35.7 183 N N N N U South Florida 2364 N 6 3 35.7 183 N N N N Penn. 
State U 977 N 8 2 41.4 183 N N N N Univ top CS Depts5 MIT 1006 N 6 2 31.0 N N N N N Stanford 858 N 8 3 47.6 180 N N N N UC Berkeley 905 N 8 2 41.4 N N N N N CMU 3651 N 8 4 52.0 365 N N N N UIUC 3384 N 8 1 26.1 365 N N N N Cornell 955 N 7 3 41.7 183 N N N N Princeton 1879 N 8 4 52.7 N N N N N U. of Washington 1032 N 8 2 45.6 N N N N N Georgia Tech. 4687 N 8 3 47.6 N N N N N U. of Texas 946 N 8 3 47.6 N N N N N Government1 irs.gov 63 N 8 3 47.6 90 N N N N usps.com 6 68 Y 8 3 47.6 N N N N N nih.gov 101 N 8 3 47.6 60 N N N N ca.gov 124 N 8 3 47.6 N N N N N ed.gov 141 Y 8 1 26.6 N N N N N noaa.gov 199 N 12 3 77.1 60 Y N N N weather.gov 228 N 12 3 77.1 180 N N N N census.gov 246 N 8 3 47.6 N Y N N N ssa.gov 276 N 7 2 36.2 N N N N N nasa.gov 342 N 12 4 79.0 N N N N N Other sites U. of Phoenix 873 Y 7 2 36.2 N N N Y Y Columbia 1350 N 6 2 31.0 N N N N N Northwestern 4457 N 6 2 31.0 548 Y N N N VA 558 Y 8 4 52.7 N N N N N USAJobs 590 Y 8 4 52.7 N N N N Y TreasuryDirect 2421 Y 8 3 47.6 N N N N N Twitter 31 Y 6 1 19.9 N N N N Y Table 7: The Sites Examined.

1 Traffic info from QuantCast.com. We investigated password policies for sites 1-20, 100-110, 1000-1010, and for top 10 government sites. We did not find policies for sites # 18 (about.com), # 104 (lowermybills.com), #105 (wheatherbug.com), # 1005 (taboolasyndication.com), and #1009 (inklineglobal.com). 2 Google Account is also used on the site Blogger.com (# 14 in traffic). 3 LiveID is used in four of the top 20 sites: MSN (# 4), Microsoft (# 7), Live (# 8), and Bing (# 19). 4 Top 10 US universities by 2006 enrollment. 5 Top CS Depts as per U.S.News. 6 usps.com handles the redirected traffic from usps.gov. 7 Advertising info from QuantCast.com. 8Does it purchase the AdWords for the name of the institution? 9 Does the user tpically have a relationship with the institution even before first login to the site? 10 Craigslist does, of course, accepts ads, but it does not accept paid advertising.
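The "minimum required bit strength" tabulated in Table 7 and binned in Figures 3 and 4, as an added worked example (editor-added code, not the paper's): it computes a policy's strength as minimum length times log2 of the smallest alphabet the policy still accepts, assigns the value to the histogram bucket the figures use, and checks a candidate password against a length-and-class rule plus a blocklist of common passwords, the alternative to added complexity discussed in Sections 5.2 and 5.3. The character-class sizes are assumptions (10 digits, 26 lowercase, 26 uppercase, and 34 specials so that all four classes give a 96-symbol alphabet); with them the function reproduces the Table 7 values 19.9 (6 chars, 1 set), 41.4 (8, 2), 47.6 (8, 3), 52.7 (8, 4) and 79.0 (12, 4). The function names are mine.

```python
"""Minimum-strength metric for a password policy, plus a policy checker.

Editor-added example; not code from the paper. Assumes the paper's
"minimum required bit strength" is len * log2(|A|), where A is the
smallest alphabet a user can get away with under the policy. The class
sizes below are assumptions (34 specials chosen so four classes give the
96-symbol alphabet that Table 7's 52.7- and 79.0-bit rows imply).
"""
import math

# Character classes and their (assumed) sizes. A rule of the form
# "at least k of these classes" is satisfied most cheaply by the k smallest.
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "special": 34}

# Bucket edges used on the x-axis of Figures 3 and 4.
HISTOGRAM_EDGES = (15, 25, 35, 45, 55)
HISTOGRAM_LABELS = ("<15", "15-25", "25-35", "35-45", "45-55", "55+")


def smallest_alphabet(min_classes):
    """Size of the cheapest alphabet that satisfies a 'k of 4 classes' rule."""
    if not 1 <= min_classes <= len(CLASS_SIZES):
        raise ValueError("min_classes must be between 1 and 4")
    sizes = sorted(CLASS_SIZES.values())
    return sum(sizes[:min_classes])


def policy_min_strength(min_len, min_classes):
    """Bits of the weakest password the policy still accepts (Table 7 column)."""
    return round(min_len * math.log2(smallest_alphabet(min_classes)), 1)


def histogram_bucket(bits):
    """Label of the Figure 3/4 bucket that a strength value falls in."""
    for edge, label in zip(HISTOGRAM_EDGES, HISTOGRAM_LABELS):
        if bits < edge:
            return label
    return HISTOGRAM_LABELS[-1]


def classes_used(password):
    """Set of character classes actually present in a password."""
    present = set()
    for ch in password:
        if ch.isdigit():
            present.add("digit")
        elif ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        else:
            present.add("special")
    return present


def check_password(password, min_len, min_classes, blocklist=()):
    """Return (accepted, reason) for a length/class rule plus a blocklist.

    The blocklist check is the step Twitter added instead of raising
    complexity (Section 5.3); comparison is case-insensitive so that
    'ABCDEF' does not slip past a list that names 'abcdef'.
    """
    if len(password) < min_len:
        return False, "too short"
    if len(classes_used(password)) < min_classes:
        return False, "too few character classes"
    if password.lower() in {p.lower() for p in blocklist}:
        return False, "common password"
    return True, "ok"


if __name__ == "__main__":
    for length, sets in ((6, 1), (8, 2), (8, 3), (8, 4), (12, 4)):
        bits = policy_min_strength(length, sets)
        print(f"{length} chars, {sets} set(s): {bits} bits -> bucket {histogram_bucket(bits)}")
    print(check_password("abcdef", 6, 1))
    print(check_password("abcdef", 6, 1, blocklist=("abcdef", "123456")))
```

A few Table 7 rows imply other alphabet sizes (for example CMU's 52.0 bits and U. of Washington's 45.6 bits for 8-character policies), so the class sizes above are a reconstruction that fits most rows, not the paper's stated definition.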
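The argument of Sections 5.2 and 5.3 that hardware speed-ups do nothing for the online attacker, and can be neutralized for the off-line attacker by raising M, as an added example (editor-added code, not the paper's): the script below realises SHA1^M() as M chained SHA-1 applications over a salted password, calibrates M to a target verification delay, and compares the guess rate an attacker gets against a live login under a lockout policy with the rate against a leaked hash file. The salt layout, record format, lockout parameters and hash rates are assumptions for illustration; a real deployment should use a standard password KDF (PBKDF2, bcrypt, scrypt or Argon2) rather than hand-rolled SHA-1 iteration.

```python
"""Online vs. off-line guessing, and iterated hashing with work factor M.

Editor-added example, not the paper's code. sha1_iter realises the
SHA1^M() of Section 5.3 as M chained SHA-1 calls; the salt layout, the
record format and every rate below are assumptions used for illustration.
"""
import hashlib
import hmac
import os

SECONDS_PER_DAY = 86400.0


def sha1_iter(password: bytes, salt: bytes, m: int) -> bytes:
    """SHA1^M over salt||password: M chained applications of SHA-1."""
    if m < 1:
        raise ValueError("work factor m must be at least 1")
    digest = hashlib.sha1(salt + password).digest()
    for _ in range(m - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def make_record(password: bytes, m: int, salt: bytes = None) -> dict:
    """Stored verifier: per-user random salt, the work factor, the digest.
    Storing m with the record lets a site raise it later and re-hash each
    user at the next successful login instead of all at once."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "m": m, "digest": sha1_iter(password, salt, m)}


def verify(password: bytes, record: dict) -> bool:
    """Recompute with the stored salt and m; compare in constant time."""
    candidate = sha1_iter(password, record["salt"], record["m"])
    return hmac.compare_digest(candidate, record["digest"])


def calibrate_m(target_delay_seconds: float, sha1_per_second: float) -> int:
    """Pick M so one verification costs target_delay_seconds on this hardware.
    Re-running this after a hardware upgrade is the 'replace SHA1^M() with
    SHA1^{10M}()' step: a 10x faster machine gets a 10x larger M."""
    return max(1, int(round(target_delay_seconds * sha1_per_second)))


def offline_guesses_per_second(sha1_per_second: float, m: int) -> float:
    """Attacker rate against a leaked file: every guess costs m hashes."""
    return sha1_per_second / m


def online_guesses_per_day(attempts_per_lockout: int, lockout_seconds: float) -> float:
    """Attacker rate against the live login when an account locks for
    lockout_seconds after attempts_per_lockout failures. Hardware speed
    does not appear in this expression at all."""
    return attempts_per_lockout * SECONDS_PER_DAY / lockout_seconds


def expected_days(space_size: float, guesses_per_day: float) -> float:
    """Days until half of the password space has been tried."""
    return (space_size / 2.0) / guesses_per_day


def offline_days(space_size: float, sha1_per_second: float, m: int) -> float:
    """Expected days to crack one leaked hash of a space_size-sized policy."""
    rate = offline_guesses_per_second(sha1_per_second, m) * SECONDS_PER_DAY
    return expected_days(space_size, rate)


if __name__ == "__main__":
    space = 10 ** 6  # a 6-digit PIN policy: the 19.9-bit rows of Table 7
    print("online, 5 tries per 30-min lockout:",
          round(expected_days(space, online_guesses_per_day(5, 1800))), "days")
    for rig in (1e9, 1e10):  # an assumed rig and one ten times faster
        m = calibrate_m(0.001, rig)  # hold verification at about 1 ms
        print(f"offline at {rig:.0e} SHA-1/s with M={m}:",
              offline_days(space, rig, m), "days")
```

With M recalibrated to the same delay, the two rigs in the usage block give identical off-line crack times, which is the point of the section: the defender, not Moore's law, sets the off-line attacker's rate, and the lockout policy alone sets the online one.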